August 9, 2022

TheCyberThrone

Thinking Security! Always

Matanbuchus drops Cobalt Strike

A new malicious spam campaign is spreading malware with the purpose of infecting machines with the Cobalt Strike Beacon. The campaign delivers the Matanbuchus loader, which then deploys Cobalt Strike on the already compromised machines; the beacon is used for lateral movement and payload downloads.

Matanbuchus is a malware-as-a-service loader that has been in the limelight since 2021. The loader is used to download and launch malware such as Qakbot or Cobalt Strike.

The malware can launch custom PowerShell commands, use standalone executables to load payloads from DLL files, and maintain persistence by creating scheduled tasks.

The spammers rely on lures that pretend to reply to previous email conversations, so the subject line begins with Re:. These ongoing campaigns carry ZIP attachments containing an HTML file that in turn generates another ZIP archive.

The Matanbuchus DLL payload consists of two files dropped into different locations on the machine. The loader then creates scheduled tasks that maintain persistence on the system across reboots, and communication with the C2 server is established.

The final stage of the attack loads the Cobalt Strike payload from that command and control server; this is how Matanbuchus extends the compromise of the affected machine. The beacon is the second-stage payload in the campaign.

The victim clicks the URL in the malicious email and the malicious files are launched. The ZIP archives are extracted, and the nested archives repeat the extraction chain until the HTTPS download of the Matanbuchus DLL is triggered. The remaining DLL files are executed and C2 traffic is initiated; the command and control server then delivers the Cobalt Strike payload.
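As an added example that is not from the original post, here is a small Python triage check for the lure traits described above: a "Re:" subject together with a ZIP attachment whose HTML member carries a base64-encoded second ZIP. The sample attachment is constructed inline, and the 200-character base64 threshold is an assumed tuning value.

```python
import base64
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local-file header
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # 200-char floor is an assumed tuning value


def html_embeds_zip(html: bytes) -> bool:
    """True if a long base64 run inside the HTML decodes to a ZIP header."""
    for run in B64_RUN.findall(html):
        run = run[: len(run) - len(run) % 4]  # drop a trailing partial quartet
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if blob.startswith(ZIP_MAGIC):
            return True
    return False


def flag_attachment(subject: str, attachment: bytes) -> list:
    """Lure traits from the campaign: 'Re:' subject, ZIP whose HTML member smuggles a second ZIP."""
    findings = []
    if subject.lower().startswith("re:"):
        findings.append("reply-lure subject")
    if not attachment.startswith(ZIP_MAGIC):
        return findings
    findings.append("zip attachment")
    with zipfile.ZipFile(io.BytesIO(attachment)) as outer:
        for name in outer.namelist():
            if name.lower().endswith((".htm", ".html")):
                findings.append(f"html member: {name}")
                if html_embeds_zip(outer.read(name)):
                    findings.append(f"nested zip smuggled in {name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample reproducing the chain: ZIP -> HTML -> base64-encoded ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("stage2.bin", b"\x00" * 300)  # stand-in for the next archive's content
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        html = b"<script>var a='" + base64.b64encode(inner.getvalue()) + b"';</script>"
        z.writestr("invoice.html", html)
    return outer.getvalue()


if __name__ == "__main__":
    print(flag_attachment("Re: invoice", build_sample()))
```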

These particular samples have been reported and analyzed. Cobalt Strike is one of many tools used in these malicious attacks. It was originally developed by ethical hackers for legitimate testing; however, such security tools often fall into the wrong hands and are used in combination with social engineering, unauthorized access tools, network-pattern obfuscation, and other sophisticated mechanisms.

Indicators of Compromise


C2 URLs


Download URLs
